
feat: add lint to detect RLS policies that allow access to anonymous users

Open kangmingtay opened this issue 1 year ago • 2 comments

What kind of change does this PR introduce?

  • adds a lint to check if there are any policies that allow access to anonymous users

What is the current behavior?

  • currently, if a user enables anonymous sign-ins for their project, they need to manually check existing RLS policies to see if any of them are compromised.

What is the new behavior?

  • this lint will highlight any policies that:
    • are associated with the authenticated, public, or any other role members
    • don't contain the auth.jwt()->>'is_anonymous' expression in the policy definition

Additional context

Add any other context or screenshots.

kangmingtay Apr 03 '24 08:04
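One way to express the check the issue describes, as an added example rather than the lint that ships in splinter.sql. It assumes the standard pg_policies view, a Supabase database where auth.jwt() exists, and the premise the issue rests on: anonymous sign-in users run under the authenticated Postgres role and are distinguished only by the is_anonymous JWT claim. The demo_notes table and its two policies are a constructed fixture; the query is the lint logic and the second policy (notes_open) is the only row it should report. The role membership walk is transitive, which goes slightly beyond the wording in the issue.

```sql
-- Added example, not the lint from splinter.sql. Assumes: RLS policies are read
-- from the standard pg_policies view, auth.jwt() exists (Supabase), and anonymous
-- sign-in users hold the authenticated role with JWT claim is_anonymous = true.

-- Constructed fixture: one policy gates on the claim, the other does not.
create table if not exists demo_notes (id serial primary key, owner uuid, body text);
alter table demo_notes enable row level security;

drop policy if exists notes_safe on demo_notes;
create policy notes_safe on demo_notes for select to authenticated
  using (coalesce((auth.jwt() ->> 'is_anonymous')::boolean, false) = false);

drop policy if exists notes_open on demo_notes;
create policy notes_open on demo_notes for select to authenticated
  using (true);   -- reachable by anonymous users: no is_anonymous check

-- The lint: policies reachable by the authenticated role (directly, via PUBLIC,
-- or via any role authenticated is a member of) whose text never mentions the
-- is_anonymous claim.
with recursive reachable as (
  -- authenticated itself, plus every role it is transitively a member of
  select r.oid, r.rolname
  from pg_roles r
  where r.rolname = 'authenticated'
  union
  select g.oid, g.rolname
  from reachable x
  join pg_auth_members m on m.member = x.oid
  join pg_roles g on g.oid = m.roleid
)
select
  p.schemaname,
  p.tablename,
  p.policyname,
  p.roles,
  p.cmd,
  p.qual       as using_expr,
  p.with_check as with_check_expr
from pg_policies p
where
  (
    p.roles && array['public']::name[]                      -- TO PUBLIC: every role
    or p.roles && (select array_agg(rolname) from reachable)
  )
  -- Heuristic text match: a policy that delegates the claim check to a
  -- function body would still be reported here, so review hits by hand.
  and coalesce(p.qual, '')       not ilike '%is_anonymous%'
  and coalesce(p.with_check, '') not ilike '%is_anonymous%'
order by p.schemaname, p.tablename, p.policyname;
```

Run it as a superuser or the table owner so pg_policies shows every policy; with the fixture above, only public.demo_notes / notes_open should come back.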

blocked on deciding how we can run lints conditionally on the platform - currently, there's no way to conditionally execute a lint from the splinter.sql file

kangmingtay May 09 '24 03:05